Tag
#git
### Impact A denial of service bug caused the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to [GHSA-6qc9-v4r8-22xg](https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg), but for regex instead of a JSON schema. Issue with more details: https://github.com/vllm-project/vllm/issues/17313 ### Patches * https://github.com/vllm-project/vllm/pull/17623
### Summary Hitting the /v1/completions API with a invalid json_schema as a Guided Param will kill the vllm server ### Details The following API call `(venv) [derekh@ip-172-31-15-108 ]$ curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}' ` will provoke a Uncaught exceptions from xgrammer in `./lib64/python3.11/site-packages/xgrammar/compiler.py ` Issue with more information: https://github.com/vllm-project/vllm/issues/17248 ### PoC Make a call to vllm with invalid json_scema e.g. `{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}` `curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temper...
## Summary In the file `vllm/multimodal/hasher.py`, the `MultiModalHasher` class has a security and data integrity issue in its image hashing method. Currently, it serializes `PIL.Image.Image` objects using only `obj.tobytes()`, which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. ## Details - **Affected file:** `vllm/multimodal/hasher.py` - **Affected method:** `MultiModalHasher.serialize_item` https://github.com/vllm-project/vllm/blob/9420a1fc30af1a632bbc2c66eb8668f3af41f026/vllm/multimodal/hasher.py#L34-L35 - **Current behavior:** For `Image.Image` instances, only `obj.tobytes()` is used for hashing. - **Problem description:** `obj.tobytes()` does not include the image’s width, height, o...
This issue arises from the prefix caching mechanism, which may expose the system to a timing side-channel attack. ## Description When a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). Our tests revealed that the timing differences caused by matching chunks are significant enough to be recognized and exploited. For instance, if the victim has submitted a sensitive prompt or if a valuable system prompt has been cached, an attacker sharing the same backend could attempt to guess the victim's input. By measuring the TTFT based on prefix matches, the attacker could verify if their guess is correct, leading to potential leakage of private information. Unlike token-by-token sharing mechanisms, vLLM’s chunk-based approach (PageAttention) processes tokens in larger units (chunks). In our tests, with chunk_size=2, the timing differences became noticeable enough to allow ...
### Summary A recent review identified several regular expressions in the vllm codebase that are susceptible to Regular Expression Denial of Service (ReDoS) attacks. These patterns, if fed with crafted or malicious input, may cause severe performance degradation due to catastrophic backtracking. #### 1. vllm/lora/utils.py [Line 173](https://github.com/vllm-project/vllm/blob/2858830c39da0ae153bc1328dbba7680f5fbebe1/vllm/lora/utils.py#L173) https://github.com/vllm-project/vllm/blob/2858830c39da0ae153bc1328dbba7680f5fbebe1/vllm/lora/utils.py#L173 **Risk Description:** - The regex `r"\((.*?)\)\$?$"` matches content inside parentheses. If input such as `((((a|)+)+)+)` is passed in, it can cause catastrophic backtracking, leading to a ReDoS vulnerability. - Using `.*?` (non-greedy match) inside group parentheses can be highly sensitive to input length and nesting complexity. **Remediation Suggestions:** - Limit the input string length. - Use a non-recursive matching approach, or write a r...
## Summary A Regular Expression Denial of Service (ReDoS) vulnerability exists in the file [`vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py`](https://github.com/vllm-project/vllm/blob/main/vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py) of the vLLM project. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. ## Details The following regular expression is used to match tool/function call patterns: ``` r"\[([a-zA-Z]+\w*\(([a-zA-Z]+\w*=.*,\s*)*([a-zA-Z]+\w*=.*\s)?\),\s*)*([a-zA-Z]+\w*\(([a-zA-Z]+\w*=.*,\s*)*([a-zA-Z]+\w*=.*\s*)?\)\s*)+\]" ``` This pattern contains multiple nested quantifiers (`*`, `+`), optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. **Attack Example:** A malicious input such as ``` [A(A= )A(A=, )A(A=, )A(A=, )... (repeated dozens of...
### Summary This advisory addresses an Open Redirection vulnerability in Mautic's user unlocking endpoint. This vulnerability could be exploited by an attacker to redirect legitimate users to malicious websites, potentially leading to phishing attacks or the delivery of exploit kits. Open Redirection via `returnUrl` Parameter: An Open Redirection vulnerability exists in the `/s/action/unlock/user.user/0` endpoint. The `returnUrl` parameter, intended for post-action redirection, is not properly validated. This allows an attacker to craft a URL that, when clicked by a user, redirects them to an arbitrary external website controlled by the attacker. ### Mitigation Update Mautic to a version that properly validates or sanitizes the `returnUrl` parameter to ensure that redirects only occur to trusted, internal URLs or explicitly whitelisted domains.
### Summary This advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows any authenticated user to clone segments without proper authorization checks. Insecure Direct Object Reference (IDOR) / Missing Authorization: A missing authorization vulnerability exists in the `cloneAction` of the segment management. This allows an authenticated user to bypass intended permission restrictions and clone segments even if they lack the necessary permissions to create new ones. ### Mitigation Update Mautic to a version that implements proper authorization checks for the `cloneAction` within the `ListController.php`. Ensure that users attempting to clone segments possess the appropriate creation permissions. ### Workarounds None If you have any questions or comments about this advisory: Email us at [email protected]
### Impact A potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. ### Patches Patched version ensure proper validation of the headers and do not allow downgradin...
### Impact This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. In `ui/src/app/shared/components/urls.ts`, the following code exists to parse the repository URL. https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/urls.ts#L14-L26 Since this code doesn't validate the protocol of repository URLs, it's possible to inject `javascript:` URLs here. https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/repo.tsx#L5-L7 As the return value of this function is used in the `href` attribute of the `a` tag, it's possible to achieve cross-site scripting by using `javascript:` URLs. Browsers may return the proper ho...